To configure Packetbeat, you edit the configuration file. For rpm and deb,
you’ll find the configuration file at /etc/packetbeat/packetbeat.yml. Under
Docker, it’s located at /usr/share/packetbeat/packetbeat.yml. For mac and win,
look in the archive that you just extracted. There’s also a full example
configuration file called packetbeat.reference.yml that shows all non-deprecated
options.

See the Config File Format section of the Beats Platform Reference for more
about the structure of the config file.

To configure Packetbeat:

Select the network interface from which to capture the traffic.

On Linux: Packetbeat supports capturing all messages sent or received by the
server on which Packetbeat is installed. For this, use any as the device:

packetbeat.interfaces.device: any

On OS X, capturing from the any device doesn’t work. You would
typically use either lo0 or en0 depending on which traffic you want to
capture.

On Windows, run the following command to list the available network interfaces:

In this example, there’s only one network card, with the index 0, installed on the system. If
there are multiple network cards, remember the index of the device you want to use for
capturing the traffic.

Modify the device line to point to the index of the device:

packetbeat.interfaces.device: 0

In the protocols section, configure the ports on which Packetbeat can find each
protocol. If you use any non-standard ports, add them here. Otherwise, the
default values should do just fine.

To test your configuration file, change to the directory where the
Packetbeat binary is installed, and run Packetbeat in the foreground with
the following options specified: sudo ./packetbeat test config -e. Make sure
your config files are in the path expected by Packetbeat (see
Directory layout), or use the -c flag to specify the path to the config
file. Depending on your OS, you might run into file ownership issues when you
run this test. See Config File Ownership and Permissions in the Beats Platform
Reference for more information.
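
A packetbeat.yml fragment covering the interface and protocol steps above, as an added example that is not taken from the Packetbeat documentation. It assumes a Packetbeat version that accepts the list-style packetbeat.protocols layout; the ports 9080 and 13306 are constructed stand-ins for whatever non-standard ports your services use.

```yaml
# Added example, not from the original page.

# Linux: capture on all interfaces. On OS X use lo0 or en0 instead;
# on Windows use the device index (for example 0).
packetbeat.interfaces.device: any

packetbeat.protocols:
  # Packetbeat selects a protocol parser by port, so a service that
  # listens on a port missing from this list is not decoded.
  - type: http
    ports: [80, 8080, 9080]    # 9080 is a constructed non-standard port
  - type: mysql
    ports: [3306, 13306]       # 13306 is a constructed non-standard port
  - type: dns
    ports: [53]

# Validate before starting the service (path is a placeholder):
#   sudo ./packetbeat test config -e -c /path/to/packetbeat.yml
```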

Before starting Packetbeat, you should look at the configuration options in the
configuration file. For more information about these options, see Configuring Packetbeat.